Cluster Wide Setup
~~~~~~~~~~~~~~~~~~
-The cluster wide firewall configuration is stored at:
+The cluster-wide firewall configuration is stored at:
/etc/pve/firewall/cluster.fw
`[OPTIONS]`::
-This is used to set cluster wide firewall options.
+This is used to set cluster-wide firewall options.
include::pve-firewall-cluster-opts.adoc[]
`[RULES]`::
-This sections contains cluster wide firewall rules for all nodes.
+This sections contains cluster-wide firewall rules for all nodes.
`[IPSET <name>]`::
----
[OPTIONS]
-# enable firewall (cluster wide setting, default is disabled)
+# enable firewall (cluster-wide setting, default is disabled)
enable: 1
----
The following traffic is filtered by the default firewall configuration:
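Review bot: the typo in the `[RULES]` description survives the hyphenation fix at `+This sections contains cluster-wide firewall rules for all nodes.`; since the line is touched anyway, change it to `This section contains cluster-wide firewall rules for all nodes.`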
-Datacenter incomming/outgoing DROP/REJECT
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Datacenter incoming/outgoing DROP/REJECT
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-If the input/output policy for the firewall is set to DROP/REJECT, the following
-traffic is still allowed for the host:
+If the input or output policy for the firewall is set to DROP or REJECT, the
+following traffic is still allowed for all {pve} hosts in the cluster:
* traffic over the loopback interface
* already established connections
-* traffic using the igmp protocol
-* tcp traffic from management hosts to port 8006 in order to allow access to
-the web interface
-* tcp traffic from management hosts to the port range 5900 to 5999 allowing
-traffic for the VNC web console
-* tcp traffic from management hosts to port 3128 for connections to the SPICE
-proxy
-* tcp traffic from management hosts to port 22 to allow ssh access
-* udp traffic in the cluster network to port 5404 and 5405 for corosync
-* udp multicast traffic in the cluster network
-* icmp traffic type 3,4 or 11
+* traffic using the IGMP protocol
+* TCP traffic from management hosts to port 8006 in order to allow access to
+ the web interface
+* TCP traffic from management hosts to the port range 5900 to 5999 allowing
+ traffic for the VNC web console
+* TCP traffic from management hosts to port 3128 for connections to the SPICE
+ proxy
+* TCP traffic from management hosts to port 22 to allow ssh access
+* UDP traffic in the cluster network to port 5404 and 5405 for corosync
+* UDP multicast traffic in the cluster network
+* ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11
+ (Time Exceeded)
The following traffic is dropped, but not logged even with logging enabled:
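Review bot: the ICMP parenthetical on the last added item mixes an informal description with the official message names: RFC 792 calls type 4 `Source Quench`, so `4 (congestion control)` should read `4 (Source Quench)` to match `3 (Destination Unreachable)` and `11 (Time Exceeded)`. Two smaller points in the same block: `UDP traffic in the cluster network to port 5404 and 5405 for corosync` should say `ports`, and `ssh access` is better written `SSH access` now that TCP, UDP, ICMP and IGMP are uppercase.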
-* tcp connections with invalid connection state
-* Broad-, multi- and anycast traffic not related to corosync
-* tcp traffic to port 43
-* udp traffic to ports 135 and 445
-* udp traffic to the port range 137 to 139
-* udp traffic form source port 137 to port range 1024 to 65535
-* udp traffic to port 1900
-* tcp traffic to port 135, 139 and 445
-* udp traffic originating from source port 53
-
-The rest of the traffic is dropped/rejected and logged.
+* TCP connections with invalid connection state
+* Broadcast, multicast and anycast traffic not related to corosync, i.e., not
+ coming through port 5404 or 5405
+* TCP traffic to port 43
+* UDP traffic to ports 135 and 445
+* UDP traffic to the port range 137 to 139
+* UDP traffic form source port 137 to port range 1024 to 65535
+* UDP traffic to port 1900
+* TCP traffic to port 135, 139 and 445
+* UDP traffic originating from source port 53
+
+The rest of the traffic is dropped or rejected, respectively, and also logged.
This may vary depending on the additional options enabled in
*Firewall* -> *Options*, such as NDP, SMURFS and TCP flag filtering.
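Review bot: a pre-existing typo is carried over into the rewritten list at `+* UDP traffic form source port 137 to port range 1024 to 65535`; it should read `from source port 137`. Also `TCP traffic to port 135, 139 and 445` should be `ports`, matching `UDP traffic to ports 135 and 445` a few lines above.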
-Please inspect the output of
+[[pve_firewall_iptables_inspect]]
+Please inspect the output of the
+----
# iptables-save
+----
-to see the firewall chains and rules active on your system.
-
-VM/CT incomming/outgoing DROP/REJECT
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-This drops/rejects all the traffic to the VMs, with some exceptions for DHCP, NDP,
-Router Advertisement, MAC and IP filtering depending on the set configuration.
-The same rules for dropping/rejecting packets are inherited from the datacenter,
-while the exceptions for accepted incomming/outgoing traffic of the host do not
-apply.
+system command to see the firewall chains and rules active on your system.
+This output is also included in a `System Report`, accessible over a node's
+subscription tab in the web GUI, or through the `pvereport` command line tool.
-Again, please inspect the output of
+VM/CT incoming/outgoing DROP/REJECT
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- # iptables-save
+This drops or rejects all the traffic to the VMs, with some exceptions for
+DHCP, NDP, Router Advertisement, MAC and IP filtering depending on the set
+configuration. The same rules for dropping/rejecting packets are inherited
+from the datacenter, while the exceptions for accepted incoming/outgoing
+traffic of the host do not apply.
-to see in detail the firewall chains and rules active for the VMs/CTs.
+Again, you can use xref:pve_firewall_iptables_inspect[iptables-save (see above)]
+to inspect all rules and chains applied.
Logging of firewall rules
-------------------------
By default, all logging of traffic filtered by the firewall rules is disabled.
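Review bot: the sentence around the new listing block is split in two, with `Please inspect the output of the` before the `----` fence and `system command to see the firewall chains and rules active on your system.` after it, which reads awkwardly once rendered. Consider `Please inspect the output of the following system command to see the firewall chains and rules active on your system:` before the block and starting the paragraph after it with `This output is also included in a `System Report` ...`. The new `[[pve_firewall_iptables_inspect]]` anchor and the `xref:` in the VM/CT section match, so that part is fine.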
-To enable logging, the `loglevel` for incommig and/or outgoing traffic has to be
+To enable logging, the `loglevel` for incoming and/or outgoing traffic has to be
set in *Firewall* -> *Options*. This can be done for the host as well as for the
VM/CT firewall individually. By this, logging of {PVE}'s standard firewall rules
is enabled and the output can be observed in *Firewall* -> *Log*.
[width="25%", options="header"]
|===================
| loglevel | LOGID
-| nolog | no log
+| nolog | --
| emerg | 0
| alert | 1
| crit | 2
Suricata IPS integration
~~~~~~~~~~~~~~~~~~~~~~~~
-If you want to use the http://suricata-ids.org/[Suricata IPS]
+If you want to use the https://suricata-ids.org/[Suricata IPS]
(Intrusion Prevention System), it's possible.
Packets will be forwarded to the IPS only after the firewall ACCEPTed
Ports used by {pve}
-------------------
-* Web interface: 8006
-* VNC Web console: 5900-5999
-* SPICE proxy: 3128
-* sshd (used for cluster actions): 22
-* rpcbind: 111
-* corosync multicast (if you run a cluster): 5404, 5405 UDP
-
+* Web interface: 8006 (TCP, HTTP/1.1 over TLS)
+* VNC Web console: 5900-5999 (TCP, WebSocket)
+* SPICE proxy: 3128 (TCP)
+* sshd (used for cluster actions): 22 (TCP)
+* rpcbind: 111 (UDP)
+* sendmail: 25 (TCP, outgoing)
+* corosync cluster traffic: 5404, 5405 UDP
+* live migration (VM memory and local-disk data): 60000-60050 (TCP)
ifdef::manvolnum[]
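Review bot: `rpcbind: 111 (UDP)` is too narrow; rpcbind listens on port 111 over both TCP and UDP, so list it as `111 (TCP, UDP)` or leave the protocol off. Two consistency points in the same list: `corosync cluster traffic: 5404, 5405 UDP` is the only entry whose protocol is not in parentheses (`5404, 5405 (UDP)` would match the others), and the blank line between the list and `ifdef::manvolnum[]` is removed (the `-` blank line has no matching `+`), whereas the rest of the patch keeps a blank line after lists, e.g. the added blank before `The rest of the traffic is dropped or rejected, ...`; keep it here as well.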